I just installed OpenBSD 4.6 because I want to use NAT to make a very basic firewall to split my ADSL connection between a few computers (some Linux, some Windows). I set up a very basic pf.conf with only what is necessary to use the internet. On my OpenBSD box everything works fine and I have access to any website, but on my other computers only 80% of the websites work; other websites like "msn.com" and "grc.com" don't work, and it says "Waiting for www.grc.com..." in the Firefox status bar. I tried many different settings but nothing works... Here is my pf.conf:

Code:

ext_if = "pppoe0"
set skip on lo
match in all scrub (no-df max-mss 1440)
nat on $ext_if from !($ext_if) to any -> ($ext_if)

For now I just want my internet access to be shared with all my computers; I'll add security rules later...

The following section from the pppoe(4) man page discusses the MTU issue but gives a different match rule than yours:

Code:

MTU/MSS ISSUES
     Problems can arise on machines with private IPs connecting to the
     Internet via a machine running both Network Address Translation (NAT)
     and pppoe. Standard Ethernet uses a Maximum Transmission Unit (MTU) of
     1500 bytes, whereas PPPoE mechanisms need a further 8 bytes of overhead.
     This leaves a maximum MTU of 1492. pppoe sets the MTU on its interface
     to 1492 as a matter of course. However, machines connecting on a private
     LAN will still have their MTUs set to 1500, causing conflict.

     While pppoe(8) has an internal option, ``mssfixup'', which is enabled by
     default and takes care of this, pppoe users have to rely on other
     methods. Using a packet filter, the Maximum Segment Size (MSS) can be
     set (clamped) to the required value. The following rule in pf.conf(5)
     would set the MSS to 1440:

           match on pppoe0 scrub (max-mss 1440)

     Although in theory the maximum MSS over a PPPoE interface is 1452 bytes,
     1440 appears to be a safer bet. Note that setting the MSS this way can
     have undesirable effects, such as interfering with the OS detection
     features of pf(4).

     See pf.conf(5) for more information on MTU, MSS, and NAT.

Could you try this match rule, and see whether that improves the situation?

__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
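
What the `max-mss 1440` clamp from the man page does to a LAN client's SYN, modelled in Python as an added example (not code from this thread and not pf's implementation): it lowers the MSS option and patches the TCP checksum incrementally. The names `clamp_mss` and `build_syn` and the sample segment are constructed for illustration.

```python
import struct

MAX_MSS = 1440  # value from the pppoe(4) match rule quoted above

def fold(total: int) -> int:
    """Fold carries back into 16 bits (ones' complement addition)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def csum(data: bytes) -> int:
    """RFC 1071 checksum over an even-length byte string."""
    return ~fold(sum(struct.unpack(f"!{len(data) // 2}H", data))) & 0xFFFF

def build_syn(src: bytes, dst: bytes, mss: int) -> bytes:
    """Constructed sample: 24-byte TCP SYN whose only option is MSS."""
    def seg(ck):
        return struct.pack("!HHIIHHHHBBH", 40000, 80, 1, 0, (6 << 12) | 0x02,
                           65535, ck, 0, 2, 4, mss)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, 24)
    return seg(csum(pseudo + seg(0)))

def clamp_mss(seg: bytes, max_mss: int = MAX_MSS) -> bytes:
    """Lower a SYN's MSS option to max_mss and patch the checksum (RFC 1624)."""
    if len(seg) < 20 or not seg[13] & 0x02:      # MSS is only sent on SYN / SYN-ACK
        return seg
    end, i = min((seg[12] >> 4) * 4, len(seg)), 20
    while i + 1 < end and seg[i] != 0:           # kind 0 = end of option list
        if seg[i] == 1:                          # kind 1 = NOP, single byte
            i += 1
            continue
        length = seg[i + 1]
        if length < 2 or i + length > end:       # malformed option: leave untouched
            break
        if seg[i] == 2 and length == 4:          # kind 2 = MSS
            old = struct.unpack_from("!H", seg, i + 2)[0]
            if old <= max_mss:
                break
            new = bytearray(seg)
            struct.pack_into("!H", new, i + 2, max_mss)
            ck = struct.unpack_from("!H", seg, 16)[0]
            for off in range((i + 2) & ~1, i + 4, 2):   # aligned words touched
                m = struct.unpack_from("!H", seg, off)[0]
                m2 = struct.unpack_from("!H", new, off)[0]
                ck = ~fold((~ck & 0xFFFF) + (~m & 0xFFFF) + m2) & 0xFFFF
            struct.pack_into("!H", new, 16, ck)
            return bytes(new)
        i += length
    return seg
```

A LAN host with an MTU of 1500 advertises an MSS of 1460, which is above the theoretical 1452 the man page gives for PPPoE; after the clamp both ends keep their segments small enough to cross the pppoe0 link.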